---
###
### Destination Controller Service
###
# Cluster-scoped RBAC for the destination controller's ServiceAccount
# (bound by the ClusterRoleBinding in the next document). Every rule is
# read-only (list/get/watch) except the leases rule and the optional
# endpointslices rule, which carry the write verbs noted inline.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-{{.Release.Namespace}}-destination
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: {{.Release.Namespace}}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
rules:
- apiGroups: ["apps"]
  resources: ["replicasets"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["batch"]
  resources: ["jobs"]
  verbs: ["list", "get", "watch"]
- apiGroups: [""]
  resources: ["pods", "endpoints", "services", "nodes"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["linkerd.io"]
  resources: ["serviceprofiles"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["workload.linkerd.io"]
  resources: ["externalworkloads"]
  verbs: ["list", "get", "watch"]
# The only unconditional write verbs in this role. Presumably leader
# election between destination replicas — confirm against the controller.
- apiGroups: ["coordination.k8s.io"]
  resources: ["leases"]
  verbs: ["create", "get", "update", "patch"]
{{- if .Values.enableEndpointSlices }}
# Rendered only when enableEndpointSlices is set. Unlike every rule above
# this grants create/update/patch/delete, i.e. the controller may rewrite
# EndpointSlices cluster-wide. NOTE(review): presumably needed to publish
# slices for ExternalWorkloads — confirm before widening or narrowing it.
- apiGroups: ["discovery.k8s.io"]
  resources: ["endpointslices"]
  verbs: ["list", "get", "watch", "create", "update", "patch", "delete"]
{{- end }}
---
# Binds the destination ClusterRole above to the linkerd-destination
# ServiceAccount in the release namespace.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-{{.Release.Namespace}}-destination
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: {{.Release.Namespace}}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-{{.Release.Namespace}}-destination
subjects:
- kind: ServiceAccount
  name: linkerd-destination
  namespace: {{.Release.Namespace}}
---
# Identity the destination controller pod runs as. Every binding in this
# file (destination, policy and remote-discovery) targets this account, so
# its effective permissions are the union of all of them.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-destination
  namespace: {{ .Release.Namespace }}
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: {{.Release.Namespace}}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
{{- include "partials.image-pull-secrets" .Values.imagePullSecrets }}
---
# TLS for the ServiceProfile validating webhook. genSelfSignedCert produces
# a fresh key pair on every render (CN and DNS SAN = the webhook Service's
# cluster DNS name, 365-day validity). It is only the fallback used where
# crtPEM / keyPEM / caBundle are empty, so with those unset the Secret and
# caBundle below change on every helm upgrade; pin the PEM values or use the
# cert-manager injection annotations for a stable certificate. keyPEM is a
# private key passed through values — keep it out of committed values files.
{{- $host := printf "linkerd-sp-validator.%s.svc" .Release.Namespace }}
{{- $ca := genSelfSignedCert $host (list) (list $host) 365 }}
{{- if (not .Values.profileValidator.externalSecret) }}
# Rendered only when the chart manages the webhook's serving certificate
# itself (externalSecret is false). Each field is Sprig ternary(onTrue,
# onFalse, cond): the generated value when the matching *PEM value is empty,
# otherwise the supplied PEM verbatim. The two fields are chosen
# independently, so supplying only one of crtPEM/keyPEM yields a mismatched
# pair unless the webhook.validation include below rejects it — confirm.
kind: Secret
apiVersion: v1
metadata:
  name: linkerd-sp-validator-k8s-tls
  namespace: {{ .Release.Namespace }}
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: {{.Release.Namespace}}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
  annotations:
    {{ include "partials.annotations.created-by" . }}
type: kubernetes.io/tls
data:
  tls.crt: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.profileValidator.crtPEM)) (empty .Values.profileValidator.crtPEM) }}
  tls.key: {{ ternary (b64enc (trim $ca.Key)) (b64enc (trim .Values.profileValidator.keyPEM)) (empty .Values.profileValidator.keyPEM) }}
---
{{- end }}
{{- include "linkerd.webhook.validation" .Values.profileValidator }}
# NOTE(review): with externalSecret true the Secret above is skipped, but the
# caBundle fallback below still uses the render-time self-signed cert, which
# cannot match an externally managed secret; presumably the validation
# include rejects externalSecret without caBundle or CA injection — confirm.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: linkerd-sp-validator-webhook-config
  {{- if or (.Values.profileValidator.injectCaFrom) (.Values.profileValidator.injectCaFromSecret) }}
  # cert-manager CA injection: with either annotation set, caBundle is
  # omitted from clientConfig below and cert-manager is expected to fill it.
  annotations:
    {{- if .Values.profileValidator.injectCaFrom }}
    cert-manager.io/inject-ca-from: {{ .Values.profileValidator.injectCaFrom }}
    {{- end }}
    {{- if .Values.profileValidator.injectCaFromSecret }}
    cert-manager.io/inject-ca-from-secret: {{ .Values.profileValidator.injectCaFromSecret }}
    {{- end }}
  {{- end }}
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: {{.Release.Namespace}}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
webhooks:
- name: linkerd-sp-validator.linkerd.io
  # Which namespaces' requests reach the webhook; taken verbatim from values.
  namespaceSelector:
    {{- toYaml .Values.profileValidator.namespaceSelector | trim | nindent 4 }}
  clientConfig:
    service:
      name: linkerd-sp-validator
      namespace: {{ .Release.Namespace }}
      path: "/"
    {{- if and (empty .Values.profileValidator.injectCaFrom) (empty .Values.profileValidator.injectCaFromSecret) }}
    # CA the API server uses to verify the webhook's serving cert: the
    # supplied caBundle, or the render-time self-signed cert when it is empty.
    caBundle: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.profileValidator.caBundle)) (empty .Values.profileValidator.caBundle) }}
    {{- end }}
  # Kubernetes semantics: Ignore admits ServiceProfiles whenever this webhook
  # is unreachable, Fail rejects them. The value comes from
  # webhookFailurePolicy; check which one the deployment intends.
  failurePolicy: {{.Values.webhookFailurePolicy}}
  admissionReviewVersions: ["v1", "v1beta1"]
  # Only CREATE/UPDATE of ServiceProfiles (v1alpha1, v1alpha2) are validated;
  # DELETE and other linkerd.io kinds bypass this webhook.
  rules:
  - operations: ["CREATE", "UPDATE"]
    apiGroups: ["linkerd.io"]
    apiVersions: ["v1alpha1", "v1alpha2"]
    resources: ["serviceprofiles"]
  sideEffects: None
---
# TLS for the policy validating webhook; same scheme as the ServiceProfile
# webhook above. $host and $ca are redeclared here, so this document's
# render-time self-signed cert is independent of the previous one. The
# generated pair is only the fallback where crtPEM / keyPEM / caBundle are
# empty and is regenerated on every render; pin the PEM values or use the
# cert-manager annotations for a stable certificate. keyPEM is a private
# key passed through values — keep it out of committed values files.
{{- $host := printf "linkerd-policy-validator.%s.svc" .Release.Namespace }}
{{- $ca := genSelfSignedCert $host (list) (list $host) 365 }}
{{- if (not .Values.policyValidator.externalSecret) }}
# Rendered only when externalSecret is false. tls.crt and tls.key each fall
# back to the generated value independently (ternary on the matching *PEM
# being empty), so supplying only one of crtPEM/keyPEM yields a mismatched
# pair unless the webhook.validation include below rejects it — confirm.
kind: Secret
apiVersion: v1
metadata:
  name: linkerd-policy-validator-k8s-tls
  namespace: {{ .Release.Namespace }}
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: {{.Release.Namespace}}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
  annotations:
    {{ include "partials.annotations.created-by" . }}
type: kubernetes.io/tls
data:
  tls.crt: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.policyValidator.crtPEM)) (empty .Values.policyValidator.crtPEM) }}
  tls.key: {{ ternary (b64enc (trim $ca.Key)) (b64enc (trim .Values.policyValidator.keyPEM)) (empty .Values.policyValidator.keyPEM) }}
---
{{- end }}
{{- include "linkerd.webhook.validation" .Values.policyValidator }}
# NOTE(review): with externalSecret true the caBundle fallback below still
# uses the render-time self-signed cert, which cannot match an externally
# managed secret; presumably the validation include rejects externalSecret
# without caBundle or CA injection — confirm.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: linkerd-policy-validator-webhook-config
  {{- if or (.Values.policyValidator.injectCaFrom) (.Values.policyValidator.injectCaFromSecret) }}
  # cert-manager CA injection: with either annotation set, caBundle is
  # omitted from clientConfig below and cert-manager is expected to fill it.
  annotations:
    {{- if .Values.policyValidator.injectCaFrom }}
    cert-manager.io/inject-ca-from: {{ .Values.policyValidator.injectCaFrom }}
    {{- end }}
    {{- if .Values.policyValidator.injectCaFromSecret }}
    cert-manager.io/inject-ca-from-secret: {{ .Values.policyValidator.injectCaFromSecret }}
    {{- end }}
  {{- end }}
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: {{.Release.Namespace}}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
webhooks:
- name: linkerd-policy-validator.linkerd.io
  # Which namespaces' requests reach the webhook; taken verbatim from values.
  namespaceSelector:
    {{- toYaml .Values.policyValidator.namespaceSelector | trim | nindent 4 }}
  clientConfig:
    service:
      name: linkerd-policy-validator
      namespace: {{ .Release.Namespace }}
      path: "/"
    {{- if and (empty .Values.policyValidator.injectCaFrom) (empty .Values.policyValidator.injectCaFromSecret) }}
    # CA the API server uses to verify the webhook's serving cert: the
    # supplied caBundle, or the render-time self-signed cert when it is empty.
    caBundle: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.policyValidator.caBundle)) (empty .Values.policyValidator.caBundle) }}
    {{- end }}
  # Kubernetes semantics: Ignore admits these policy objects whenever the
  # webhook is unreachable, Fail rejects them. Shared with the ServiceProfile
  # webhook via webhookFailurePolicy.
  failurePolicy: {{.Values.webhookFailurePolicy}}
  admissionReviewVersions: ["v1", "v1beta1"]
  # CREATE/UPDATE of the listed policy.linkerd.io kinds and of Gateway API
  # HTTPRoutes, at any API version ("*"); DELETE bypasses this webhook.
  rules:
  - operations: ["CREATE", "UPDATE"]
    apiGroups: ["policy.linkerd.io"]
    apiVersions: ["*"]
    resources:
    - authorizationpolicies
    - httproutes
    - networkauthentications
    - meshtlsauthentications
    - serverauthorizations
    - servers
  - operations: ["CREATE", "UPDATE"]
    apiGroups: ["gateway.networking.k8s.io"]
    apiVersions: ["*"]
    resources:
    - httproutes
  sideEffects: None
---
# Cluster-scoped RBAC for the policy resources, bound to the same
# linkerd-destination ServiceAccount by the next document (presumably for
# the policy controller running alongside destination — confirm).
# Read-only throughout except patch on httproutes/status in both API groups
# and create/get/patch on leases.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-policy
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: {{.Release.Namespace}}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
rules:
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - get
  - apiGroups:
      - policy.linkerd.io
    resources:
      - authorizationpolicies
      - httproutes
      - meshtlsauthentications
      - networkauthentications
      - servers
      - serverauthorizations
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - gateway.networking.k8s.io
    resources:
      - httproutes
    verbs:
      - get
      - list
      - watch
  # Status subresource only: the controller can report route status but not
  # change the route spec itself.
  - apiGroups:
      - policy.linkerd.io
    resources:
      - httproutes/status
    verbs:
      - patch
  - apiGroups:
      - gateway.networking.k8s.io
    resources:
      - httproutes/status
    verbs:
      - patch
  - apiGroups:
      - workload.linkerd.io
    resources:
      - externalworkloads
    verbs:
      - get
      - list
      - watch
  # NOTE(review): the destination ClusterRole at the top of this file also
  # grants update on leases; this one omits it. Confirm that is intentional.
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
      - get
      - patch
---
# Binds the linkerd-policy ClusterRole above to the linkerd-destination
# ServiceAccount, adding its rules to the destination ClusterRole's.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-destination-policy
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: {{.Release.Namespace}}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-policy
subjects:
  - kind: ServiceAccount
    name: linkerd-destination
    namespace: {{.Release.Namespace}}
---
# Namespaced (Role, not ClusterRole) read access to Secrets in the release
# namespace; presumably for remote-cluster credentials used by multicluster
# discovery — confirm. NOTE(review): there is no resourceNames restriction,
# so get/list/watch covers every Secret in the control-plane namespace,
# including the *-k8s-tls webhook Secrets rendered earlier in this file and
# anything else co-located there. RBAC cannot scope list/watch by label, so
# narrowing this would require moving unrelated Secrets out of the namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: remote-discovery
  namespace: {{.Release.Namespace}}
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: {{.Release.Namespace}}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch
---
# Binds the remote-discovery Role above to the linkerd-destination
# ServiceAccount within the release namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: linkerd-destination-remote-discovery
  namespace: {{.Release.Namespace}}
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: {{.Release.Namespace}}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: remote-discovery
subjects:
  - kind: ServiceAccount
    name: linkerd-destination
    namespace: {{.Release.Namespace}}